On November 24, 2025, local time, HelixGuard, an open-source security research lab that conducts research on supply chain malware and vulnerabilities, discovered that over 1,000 components in the NPM ...
Researchers have identified yet another malicious use for JavaScript packages hosted on the npm registry: hosting files required by automated phishing kits or slipping phishing pages into applications ...
The CursedGrabber malware has infiltrated the open-source software code repository. Three malicious software packages have been published to npm, a code repository for JavaScript developers to share ...
A series of malicious packages hidden within the Node Package Manager (npm), the largest software registry for JavaScript, has been uncovered. According to a new advisory published by FortiGuard on ...
According to researchers Andrey Polkovnychenko and Shachar Menashe, the repositories were first detected on March 21 and steadily grew from roughly 50 malicious npm packages to over 200 in a matter of ...
The malware used in Shai-Hulud is capable of self-propagation, automatically infecting other packages managed by the maintainer of the infected package. It also harvests credentials from developer ...
A stream of malicious npm and PyPI packages has been found stealing a wide range of sensitive data from software developers on the platforms. The campaign started on September 12, 2023, and was first ...
Threat actors are finding new ways to insert invisible code or links into open source code to evade detection of software supply chain attacks. The latest example was found by researchers at ...